Abstract. Dynamical systems generated by iterations of multivariate polynomials with slow degree growth have proved to admit good estimates of exponential sums along their orbits, which in turn lead to rather stronger bounds on the discrepancy for pseudorandom vectors generated by these iterations. Here we add new arguments to our original approach and also extend some of our recent constructions and results to more general orbits of polynomial iterations which may involve distinct polynomials as well. Using this construction we design a new class of hash functions from iterations of polynomials and use our estimates to motivate their "mixing" properties.
1. Introduction

1.1. Background. For a system of m+1 polynomials $\mathcal{F} = \{f_0, \ldots, f_m\}$ in m+1 variables over a ring $\mathcal{R}$ one can naturally define a dynamical system generated by its iterations:

$$f_i^{(0)} = f_i, \qquad f_i^{(k)} = f_i^{(k-1)}(f_0, \ldots, f_m), \qquad k = 1, 2, \ldots,$$

for each i = 0, ..., m, see [HI [121 (201 HU UHl [H] and references therein for various aspects of such dynamical systems. In particular, the length and the distribution of elements in the orbits of such dynamical systems, starting from an initial value $(u_{0,0}, \ldots, u_{0,m}) \in \mathcal{R}^{m+1}$, have been of primal interest.

In the special case of one linear univariate polynomial over a residue ring or a finite field such iterations are known as linear congruential generators, which have been successfully used for decades in Quasi-Monte Carlo methods, see [31, 32]. On the other hand, in cryptographic settings, such linear generators have been the subject of various attacks [H [131 (SB (SSI [27] and thus are not recommended for cryptographic purposes. It should be noted that nonlinear generators have also been attacked [H [2], [TU [17], but the attacks are much weaker and do not rule out their use for cryptographic purposes (provided reasonable precautions are taken). Although linear congruential generators have been used quite successfully for Quasi-Monte Carlo methods, their linear structure shows in these applications too and often limits their applicability, see [31, 32].

Motivated by these potential applications, the statistical uniformity of the distribution (measured by the discrepancy) of one- and multidimensional nonlinear polynomial generators has been intensively studied in [ISl HSl E31 EH E51 US]. However, all previously known results are nontrivial only for those polynomial generators that produce sequences of extremely large period, which could be hard to achieve in practice. The reason behind this is that the degree of iterated polynomial systems grows exponentially, and that in all previous results on the general case the saving over the trivial bound has been logarithmic. Moreover, it is easy to see that in the one-dimensional case (that is, for m = 0) the exponential growth of the degree of iterations of a nonlinear polynomial is unavoidable. One also expects the same behaviour in the multidimensional case for "random" polynomials $f_0, \ldots, f_m$. However, as has been shown in [37], for some specially selected polynomials $f_0, \ldots, f_m$ the degree may grow significantly slower, a result that leads to much better estimates of exponential sums, and thus of discrepancy, for vectors generated by these iterations.

Furthermore, it is shown in [36] that in the case when such a polynomial map generates a permutation of the corresponding vector space, one can get better results "on average" over all initial values. It is also noticed in [35] that in fact one can avoid the use of the Weil bound (see [29, Chapter 5]) of exponential sums and achieve a better result with a more elementary argument.



1.2. Our results. Here, as in [36], we continue to study the polynomial systems of [37] and exploit the linearity with respect to one variable and the polynomial degree growth with respect to the other variables. This leads to a direct improvement of the results of [37]. This new approach also allows us to consider slightly more general polynomial dynamical systems, where at each step a different polynomial map can be used, thus extending those of [37]. The argument is based on an elementary identity for exponential sums with linear polynomials and also on counting zeros of multivariate polynomials in finite fields.

We remark that since the Weil bound is not needed anymore, one can certainly obtain analogues of our results for residue rings (although counting the number of solutions of multivariate polynomial congruences may require more effort than in the finite field setting).

Furthermore, in [36, 37] only the truncated vectors (consisting of m components of the total output (m+1)-dimensional vectors) are investigated. Here we show that in fact the whole output vectors can be studied; however, for this we require a very deep result of Bourgain, Glibichuk and Konyagin [6] (for a generalisation to residue rings one can also use the results of [3l H]).

Finally, we propose a construction of a hash function from polynomial maps. Although we make no claims of security or efficiency, we note that our results show that this hash function has "random-like" behaviour.

Hash functions from walks on the set of isogenous elliptic curves generated by low degree isogenies, and their cryptographic applications, are considered in [7, 12]. Alternatively these walks can be described as sequences of rational function transformations on the coefficients of Weierstrass equations of elliptic curves, see [12] for a background. We hope that our results may be useful for studying further properties of such walks, for example, in showing that the hash function of [711I9] has sufficiently uniformly distributed outputs and may be used as a secure pseudorandom number generator.



2. Construction

2.1. Polynomial systems. Let $\mathbb{F}$ be an arbitrary field. As in [37], we consider a system $\mathcal{F} = \{F_0, \ldots, F_m\}$ of m+1 polynomials in $\mathbb{F}[X_0, \ldots, X_m]$ satisfying the following conditions

(1)

where $i = 0, \ldots, m-1$.

We also impose the condition that each polynomial $G_i$, i = 0, ..., m−1, has the unique leading monomial $X_{i+1}^{s_{i,i+1}} \cdots X_m^{s_{i,m}}$, that is,

(2) $G_i(X_{i+1}, \ldots, X_m) = g_i X_{i+1}^{s_{i,i+1}} \cdots X_m^{s_{i,m}} + H_i(X_{i+1}, \ldots, X_m),$

where

(3) $g_i \in \mathbb{F}^*, \qquad \deg_{X_j} H_i < s_{i,j},$

for i = 0, ..., m − 1, j = i + 1, ..., m.

Given an integral upper triangular matrix

(4) $S = \begin{pmatrix} 1 & s_{0,1} & s_{0,2} & \cdots & s_{0,m} \\ 0 & 1 & s_{1,2} & \cdots & s_{1,m} \\ \vdots & & \ddots & & \vdots \\ 0 & \cdots & & 0 & 1 \end{pmatrix},$

we define $\mathcal{S}(S, m)$ as the set of all such polynomial systems of the form (1) satisfying the conditions (2) and (3).

For an integer m ≥ 1 and an integral matrix S of the form (4), we consider a sequence of, not necessarily distinct, polynomial systems

(5) $\mathcal{F}_k = \{F_{k,0}, \ldots, F_{k,m}\} \in \mathcal{S}(S, m), \qquad k = 1, 2, \ldots$

We consider the sequence of polynomials $F_i^{(k)}$ defined by the recurrence relation

(6) $F_i^{(0)} = X_i, \qquad F_i^{(k)} = F_{k,i}\big(F_0^{(k-1)}, \ldots, F_m^{(k-1)}\big), \qquad k = 1, 2, \ldots$

In particular, $\mathcal{F}_0$ denotes the identity map.

As in [36, Lemma 1], we have the following characterisation of the polynomials $F_i^{(k)}$, which in turn generalises and refines [37, Lemma 1]. We note that unfortunately in [37] the unique leading monomial condition (3) is given in the form $\deg H_i < \deg G_i$ instead of the required $\deg_{X_j} H_i < \deg_{X_j} G_i$, $0 \le i < j \le m$, that is actually used in the proof of [37, Lemma 1].



ITERATIONS OF MULTIVARIATE POLYNOMIALS

Lemma 1. Let $\mathcal{F}_k \in \mathcal{S}(S, m)$ be a sequence of polynomial systems (5). Then for the polynomials $F_i^{(k)}$ given by (6) we have

$$F_i^{(k)} = X_i G_{k,i}(X_{i+1}, \ldots, X_m) + H_{k,i}(X_{i+1}, \ldots, X_m),$$

where $G_{k,i}, H_{k,i} \in \mathbb{F}[X_{i+1}, \ldots, X_m]$ and

$$\deg G_{k,i} = \frac{k^{m-i}}{(m-i)!}\, s_{i,i+1} \cdots s_{m-1,m} + \psi_i(k), \qquad 0 \le i \le m-1,$$

$$\deg G_{k,m} = 0,$$

with some polynomials $\psi_i(T) \in \mathbb{Q}[T]$ of degree $\deg \psi_i < m - i$.

Proof. Writing $F_{k,i} = X_i G_{k,i} + H_{k,i}$ we get

$$F_i^{(k)} = F_i^{(k-1)}\, G_{k,i}\big(F_{i+1}^{(k-1)}, \ldots, F_m^{(k-1)}\big) + H_{k,i}\big(F_{i+1}^{(k-1)}, \ldots, F_m^{(k-1)}\big).$$

Thus an easy inductive argument implies that

$$F_i^{(k)} = X_i G_{k,i}(X_{i+1}, \ldots, X_m) + H_{k,i}(X_{i+1}, \ldots, X_m)$$

for some polynomials $G_{k,i}, H_{k,i} \in \mathbb{F}[X_{i+1}, \ldots, X_m]$, where i = 0, ..., m, k = 1, 2, ....

For the asymptotic formulas for the degrees of the polynomials $G_{k,i}$ see [37, Lemma 1], where it is given for $\deg F_i^{(k)}$. We note that in [37] only the case when at each step the same polynomial system $\mathcal{F}_k = \mathcal{F}$ is applied is considered, but the proof holds for distinct systems $\mathcal{F}_k \in \mathcal{S}(S, m)$ without any changes. Indeed, let

$$d_{k,i} = \deg(X_i G_{k,i}) = 1 + \deg G_{k,i}, \qquad i = 0, \ldots, m, \quad k = 1, 2, \ldots$$

Then the result follows immediately from the recursive formula

$$(d_{k,0}, \ldots, d_{k,m})^t = A\,(d_{k-1,0}, \ldots, d_{k-1,m})^t$$

implied by (2) and (3), where

$$A = \begin{pmatrix} 1 & s_{0,1} & s_{0,2} & \cdots & s_{0,m} \\ 0 & 1 & s_{1,2} & \cdots & s_{1,m} \\ \vdots & & \ddots & & \vdots \\ 0 & \cdots & & 0 & 1 \end{pmatrix}$$

and $^t$ means the transposition of the vector $\mathbf{d}$, see the proof of [37, Lemma 1] for more details. □
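The degree recursion in the proof of Lemma 1 can be run numerically. The following Python block is an added illustration, not code from the paper: it builds the matrix A from a constructed sample matrix S with m = 2, iterates the degree vector, and compares $\deg G_{k,i}$ with the main term $k^{m-i} s_{i,i+1} \cdots s_{m-1,m}/(m-i)!$ of the lemma (the function names are assumptions of this example).

```python
# Added example (not code from the paper): the degree recursion behind
# Lemma 1.  For a triangular system F_i = X_i G_i(X_{i+1},...,X_m) + H_i with
# G_i having leading monomial X_{i+1}^{s_{i,i+1}} ... X_m^{s_{i,m}}, the degrees
# d_{k,i} = deg(X_i G_{k,i}) = 1 + deg G_{k,i} of the iterates satisfy
#     (d_{k,0}, ..., d_{k,m})^t = A (d_{k-1,0}, ..., d_{k-1,m})^t,   d_{0,i} = 1,
# with A the unitriangular matrix built from S.  SAMPLE_S is a constructed
# matrix with m = 2; the function names are my own.
from math import factorial

# Constructed sample: m = 2, s_{0,1} = 2, s_{0,2} = 2, s_{1,2} = 3.  The superdiagonal
# entries are nonzero, as the paper's results require s_{0,1} ... s_{m-1,m} != 0.
SAMPLE_S = [[1, 2, 2],
            [0, 1, 3],
            [0, 0, 1]]


def degree_matrix(S):
    """A has ones on the diagonal and the entries s_{i,j} of S above it."""
    m1 = len(S)
    return [[1 if i == j else (S[i][j] if j > i else 0) for j in range(m1)]
            for i in range(m1)]


def iterate_degrees(S, k):
    """(d_{k,0}, ..., d_{k,m}) obtained by applying A k times to (1, ..., 1)."""
    A = degree_matrix(S)
    d = [1] * len(S)
    for _ in range(k):
        d = [sum(A[i][j] * d[j] for j in range(len(d))) for i in range(len(d))]
    return d


def deg_G(S, k, i):
    """deg G_{k,i} = d_{k,i} - 1 for the i-th polynomial of the k-th iterate."""
    return iterate_degrees(S, k)[i] - 1


def main_term(S, k, i):
    """Leading term k^{m-i}/(m-i)! * s_{i,i+1} ... s_{m-1,m} of Lemma 1 (for i <= m-1)."""
    m = len(S) - 1
    prod = 1
    for j in range(i, m):
        prod *= S[j][j + 1]
    return k ** (m - i) * prod / factorial(m - i)


def relative_error(S, k, i):
    """|deg G_{k,i} - main term| / main term.  It tends to 0 as k grows because
    the correction psi_i(k) in Lemma 1 has degree < m - i."""
    mt = main_term(S, k, i)
    return abs(deg_G(S, k, i) - mt) / mt


if __name__ == "__main__":
    # For SAMPLE_S one finds deg G_{k,0} = 3k^2 + k and deg G_{k,1} = 3k:
    # polynomial growth, in contrast to the exponential growth of generic iterations.
    for k in (1, 2, 5, 10, 40):
        print(k, iterate_degrees(SAMPLE_S, k),
              [main_term(SAMPLE_S, k, i) for i in range(2)],
              relative_error(SAMPLE_S, k, 0))
```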
2.2. Vector sequences. Given a sequence of polynomial systems (5), we fix a vector $\mathbf{v} \in \mathbb{F}_p^{m+1}$ and consider the sequence defined by a recurrence congruence modulo a prime p of the form

(7) $u_{n+1,i} = F_{n+1,i}(u_{n,0}, \ldots, u_{n,m}) \pmod p, \qquad n = 0, 1, \ldots,$

with some initial values

$$(u_{0,0}, \ldots, u_{0,m}) = \mathbf{v}.$$

We also assume that $0 \le u_{n,i} < p$, i = 0, ..., m, n = 0, 1, .... Using the vector notation $\mathbf{u}_n = (u_{n,0}, \ldots, u_{n,m})$ we have the recurrence relation

$$\mathbf{u}_n = \mathcal{F}_n(\mathbf{u}_{n-1}), \qquad n = 1, 2, \ldots$$

In particular, for any n, k ≥ 0 and i = 0, ..., m we have

where the polynomials $F_i^{(k)}$, i = 0, ..., m, k = 1, 2, ..., are given by (6). Clearly the sequence of vectors $\mathbf{u}_n$ is eventually periodic with some period $\tau \le p^{m+1}$. We always assume that the sequence is purely periodic, that is,

$$\mathbf{u}_{n+\tau} = \mathbf{u}_n, \qquad n = 0, 1, \ldots$$

As in [36, 37], we sometimes discard the last component and define the truncated vectors

$$(u_{n,0}, \ldots, u_{n,m-1}).$$

However, here we introduce a new argument which allows us sometimes to study the full vectors $\mathbf{u}_n$.

3. Exponential Sums and Discrepancy

3.1. Preliminaries. Assume that the sequence $\{\mathbf{u}_n\}$ generated by (7) is purely periodic with an arbitrary period τ. For integer vectors $\mathbf{a} = (a_0, \ldots, a_{m-1}) \in \mathbb{Z}^m$ and $\mathbf{b} = (b_0, \ldots, b_m) \in \mathbb{Z}^{m+1}$ we introduce the exponential sums

$$S_{\mathbf{a}}(N) = \sum_{n=0}^{N-1} e_p\Big(\sum_{i=0}^{m-1} a_i u_{n,i}\Big) \qquad \text{and} \qquad T_{\mathbf{b}}(N) = \sum_{n=0}^{N-1} e_p\Big(\sum_{i=0}^{m} b_i u_{n,i}\Big),$$

where

$$e_p(z) = \exp(2\pi i z/p).$$

Clearly, if $\mathbf{b} = (a_0, \ldots, a_{m-1}, 0)$ then we simply have $S_{\mathbf{a}}(N) = T_{\mathbf{b}}(N)$, thus the sums $T_{\mathbf{b}}(N)$ are direct generalisations of the sums $S_{\mathbf{a}}(N)$ that have been treated in [37]. Here we show that together with some additional arguments, one can obtain similar results for the sums $T_{\mathbf{b}}(N)$.

Bounds of these sums can be used to estimate the discrepancy of the corresponding sequences, which is a widely accepted quantitative measure of uniformity of distribution of sequences, and thus good pseudorandom sequences should (after an appropriate scaling) have a small discrepancy.



Given a sequence Γ of N points

(8) $\Gamma = \big\{(\gamma_{n,1}, \ldots, \gamma_{n,s})_{n=0}^{N-1}\big\}$

in the s-dimensional unit cube $[0,1)^s$ it is natural to measure the level of its statistical uniformity in terms of the discrepancy Δ(Γ). More precisely,

$$\Delta(\Gamma) = \sup_{B} \left| \frac{T_\Gamma(B)}{N} - |B| \right|,$$

where $T_\Gamma(B)$ is the number of points of Γ inside the box

$$B = [\alpha_1, \beta_1) \times \cdots \times [\alpha_s, \beta_s) \subseteq [0,1)^s,$$

|B| is its volume, and the supremum is taken over all such boxes, see [P].

Typically the bounds on the discrepancy of a sequence are derived from bounds of exponential sums with elements of this sequence. The relation is made explicit in the celebrated Erdős–Turán–Koksma inequality, see [Theorem 1.21], which we present in the following form.

Lemma 2. There exists a constant $c_s$ depending only on s such that for any integer H ≥ 1 and any sequence Γ of N points (8) the discrepancy Δ(Γ) satisfies the following bound:

$$\Delta(\Gamma) \le c_s \left( \frac{1}{H} + \frac{1}{N} \sum_{0 < |\mathbf{h}| \le H} \prod_{j=1}^{s} \frac{1}{|h_j| + 1} \left| \sum_{n=0}^{N-1} \exp\Big(2\pi i \sum_{j=1}^{s} h_j \gamma_{n,j}\Big) \right| \right),$$

where the sum is taken over all integer vectors $\mathbf{h} = (h_1, \ldots, h_s) \in \mathbb{Z}^s$ with $|\mathbf{h}| = \max_{j=1,\ldots,s} |h_j| \le H$.

We always assume that a finite field $\mathbb{F}_p$ of p elements is represented by the set {0, 1, ..., p − 1}. So for $u \in \mathbb{F}_p$ we always have $u/p \in [0,1)$ and thus we can talk about the discrepancy of vectors over $\mathbb{F}_p$ after scaling them by 1/p.

Throughout the paper, the implied constants in the symbols 'O' and '≪' may occasionally, where obvious, depend on the matrix S and the integer m ≥ 1 (and are absolute otherwise). We recall that the notations A = O(B) and A ≪ B are both equivalent to the assertion that the inequality |A| ≤ cB holds for some constant c > 0.

3.2. Arbitrary Systems. Here we assume, exactly as in [37], that all polynomial systems (5) are the same, that is, $\mathcal{F}_k = \mathcal{F}$. Our next results are a direct improvement of the estimate of [37, Theorem 4] for the sums $S_{\mathbf{a}}(N)$ and also an extension of such a bound to the more general sums $T_{\mathbf{b}}(N)$.

We need the following generalisation of the bound on exponential sums of [36, Lemma 2], which avoids using the Weil bound (see [29, Chapter 5]) and which is our main tool in improving the result of [37].

Lemma 3. Let $\mathcal{F} \in \mathcal{S}(S, m)$ with $s_{0,1} \cdots s_{m-1,m} \ne 0$. Then there is a positive integer $k_0$ depending only on S and m such that for any integer vectors

$$\mathbf{k} = (k_1, \ldots, k_\nu), \quad \mathbf{l} = (l_1, \ldots, l_\nu), \qquad \min\{k_1, \ldots, k_\nu, l_1, \ldots, l_\nu\} \ge k_0,$$

whose components are not permutations of each other, and any integer vector $\mathbf{a} = (a_0, \ldots, a_{m-1})$ with

$$\gcd(a_0, \ldots, a_{m-1}, p) = 1,$$

for the polynomial

$$F_{\mathbf{a},\mathbf{k},\mathbf{l}} = \sum_{i=0}^{m-1} a_i \sum_{h=1}^{\nu} \Big( F_i^{(k_h)} - F_i^{(l_h)} \Big),$$

where the polynomials $F_i^{(k)}$ are given by (6), we have

$$\sum_{w_0, \ldots, w_m = 1}^{p} e_p\big(F_{\mathbf{a},\mathbf{k},\mathbf{l}}(w_0, \ldots, w_m)\big) \ll K^m p^m,$$

where

$$K = \max\{k_1, \ldots, k_\nu, l_1, \ldots, l_\nu\}.$$
Proof. Let $s \le m-1$ be the smallest integer such that $a_s \ne 0$. By Lemma 1 we have

$$\begin{aligned} F_{\mathbf{a},\mathbf{k},\mathbf{l}}(x_0, \ldots, x_m) &= \sum_{i=s}^{m-1} a_i x_i \sum_{h=1}^{\nu} \Big( G_{k_h,i}(x_{i+1}, \ldots, x_m) - G_{l_h,i}(x_{i+1}, \ldots, x_m) \Big) \\ &\quad + \sum_{i=s}^{m-1} a_i \sum_{h=1}^{\nu} \Big( H_{k_h,i}(x_{i+1}, \ldots, x_m) - H_{l_h,i}(x_{i+1}, \ldots, x_m) \Big) \\ &= a_s x_s \sum_{h=1}^{\nu} \Big( G_{k_h,s}(x_{s+1}, \ldots, x_m) - G_{l_h,s}(x_{s+1}, \ldots, x_m) \Big) + \Psi_{\mathbf{a},\mathbf{k},\mathbf{l}}(x_{s+1}, \ldots, x_m) \end{aligned}$$

for a certain polynomial $\Psi_{\mathbf{a},\mathbf{k},\mathbf{l}}(x_{s+1}, \ldots, x_m) \in \mathbb{F}_p[x_{s+1}, \ldots, x_m]$.

Therefore

$$\sum_{x_0, \ldots, x_m = 1}^{p} e_p\big(F_{\mathbf{a},\mathbf{k},\mathbf{l}}(x_0, \ldots, x_m)\big) = p^{s} \sum_{x_{s+1}, \ldots, x_m = 1}^{p} e_p\big(\Psi_{\mathbf{a},\mathbf{k},\mathbf{l}}(x_{s+1}, \ldots, x_m)\big) \sum_{x_s = 1}^{p} e_p\Big( a_s x_s \sum_{h=1}^{\nu} \big( G_{k_h,s}(x_{s+1}, \ldots, x_m) - G_{l_h,s}(x_{s+1}, \ldots, x_m) \big) \Big).$$

Recalling the identity

(9) $\displaystyle \sum_{u=1}^{p} e_p(cu) = \begin{cases} p, & \text{if } c \equiv 0 \pmod p, \\ 0, & \text{if } c \not\equiv 0 \pmod p, \end{cases}$

see [Sni Equation (5.9)], we conclude that the sum over the variable $x_s$ is nonzero only if the polynomial

$$\Phi_{s,\mathbf{k},\mathbf{l}} = \sum_{h=1}^{\nu} \big( G_{k_h,s} - G_{l_h,s} \big) \in \mathbb{F}_p[X_{s+1}, \ldots, X_m]$$

is zero modulo p at $(x_{s+1}, \ldots, x_m)$.

Performing all trivial cancellations, without loss of generality we can also assume that the vectors $\mathbf{k}$ and $\mathbf{l}$ have no common elements. Thus, by Lemma 1 we see that if $\min\{k_1, \ldots, k_\nu, l_1, \ldots, l_\nu\} \ge k_0$ for a sufficiently large $k_0$ then the polynomial $\Phi_{s,\mathbf{k},\mathbf{l}}$ is a nontrivial polynomial modulo p of degree $O(K^{m-s}) = O(K^m)$. Also, a simple inductive argument shows that a polynomial in r variables which is nontrivial modulo p and of degree D may have only $O(Dp^{r-1})$ zeros modulo p, which concludes the proof. □

Theorem 4. Let the sequence $\{\mathbf{u}_n\}$ be given by (7) for $\mathcal{F}_k = \mathcal{F}$, k = 1, 2, ..., with a polynomial system $\mathcal{F} \in \mathcal{S}(S, m)$ of the form (1) of total degree d ≥ 2 and such that $s_{0,1} \cdots s_{m-1,m} \ne 0$. Assume that $\{\mathbf{u}_n\}$ is purely periodic with period τ. Then for any fixed integer ν ≥ 1, positive integer N ≤ τ and nonzero vector $\mathbf{a} \in \mathbb{F}_p^m$ the bound

$$S_{\mathbf{a}}(N) \ll p^{\alpha_{m,\nu}} N^{\beta_{m,\nu}}$$

holds, where

$$\alpha_{m,\nu} = \frac{m^2 + m\nu + m}{2\nu(m+\nu)} \qquad \text{and} \qquad \beta_{m,\nu} = \frac{2\nu - 1}{2\nu},$$

and the implied constant depends only on d, m and ν.

Proof. We follow the same argument as in the proof of [37, Theorem 4]; however, instead of the Weil bound we now use Lemma 3 (and thus we optimise the parameters differently).

In particular, as in [37], we obtain that for any integer K ≥ $k_0$,

(10) $(K - k_0 + 1)\,|S_{\mathbf{a}}(N)| \le W + K^2,$

where $k_0$ is the same as in Lemma 3 and

$$W = \sum_{n=0}^{N-1} \left| \sum_{k=k_0}^{K} e_p\Big( \sum_{i=0}^{m-1} a_i F_i^{(k)}(u_{n,0}, \ldots, u_{n,m}) \Big) \right|.$$

Using the Hölder inequality we derive (again exactly the same way as in [37])

$$W^{2\nu} \le N^{2\nu - 1} \sum_{k_1, l_1, \ldots, k_\nu, l_\nu = k_0}^{K} \left| \sum_{w_0, \ldots, w_m \in \mathbb{F}_p} e_p\big( F_{\mathbf{a},\mathbf{k},\mathbf{l}}(w_0, \ldots, w_m) \big) \right|.$$

For $O(K^\nu)$ vectors

$$(k_1, \ldots, k_\nu) \quad \text{and} \quad (l_1, \ldots, l_\nu)$$

which are permutations of each other, we estimate the inner sum trivially as $p^{m+1}$. For the other $O(K^{2\nu})$ vectors, we apply Lemma 3, getting the upper bound $K^m p^m$ for the inner sum. Hence,

$$W^{2\nu} \ll N^{2\nu - 1} \big( K^{\nu} p^{m+1} + K^{2\nu + m} p^{m} \big).$$

Inserting this bound in (10), we derive

$$|S_{\mathbf{a}}(N)| \ll \frac{W}{K} + K \ll N^{1 - 1/(2\nu)} \Big( K^{-1/2} p^{(m+1)/(2\nu)} + K^{m/(2\nu)} p^{m/(2\nu)} \Big) + K.$$

Choosing

$$K = p^{1/(m+\nu)}$$

(and assuming that p is large enough, so $K \ge k_0$), after simple calculations we obtain the desired result. □

Using Lemma 2 we derive the following improvement of [37, Theorem 6].

Corollary 5. Let the sequence $\{\mathbf{u}_n\}$ be given by (7) for $\mathcal{F}_k = \mathcal{F}$, k = 1, 2, ..., with a polynomial system $\mathcal{F} \in \mathcal{S}(S, m)$ of the form (1) of total degree d ≥ 2 and such that $s_{0,1} \cdots s_{m-1,m} \ne 0$. Assume that $\{\mathbf{u}_n\}$ is purely periodic with period τ. Then for any fixed integer ν ≥ 1, and any positive integer N ≤ τ, the discrepancy of the sequence

$$\left( \frac{u_{n,0}}{p}, \ldots, \frac{u_{n,m-1}}{p} \right), \qquad n = 0, \ldots, N-1,$$

satisfies the bound $O\big(p^{\alpha_{m,\nu}} N^{\beta_{m,\nu} - 1} (\log p)^m\big)$, where

$$\alpha_{m,\nu} = \frac{m^2 + m\nu + m}{2\nu(m+\nu)} \qquad \text{and} \qquad \beta_{m,\nu} = \frac{2\nu - 1}{2\nu},$$

and the implied constant depends only on d, m and ν.

We note that the values of $\alpha_{m,\nu}$ and $\beta_{m,\nu}$ in Theorem 4 and Corollary 5 improve on the values

$$\alpha_{m,\nu} = \frac{2m^2 + 2m\nu + 2m + \nu}{4\nu(m+\nu)} \qquad \text{and} \qquad \beta_{m,\nu} = \frac{2\nu - 1}{2\nu}$$

from [37]. In particular, both Theorem 4 and Corollary 5 are nontrivial if $\tau \ge N \ge p^{m+\varepsilon}$ with fixed ε > 0 (while the corresponding bounds of [37] are nontrivial only if $\tau \ge N \ge p^{m+1/2+\varepsilon}$).
Theorem 6. Let the sequence $\{\mathbf{u}_n\}$ be given by (7) for $\mathcal{F}_k = \mathcal{F}$, k = 1, 2, ..., with a polynomial system $\mathcal{F} \in \mathcal{S}(S, m)$ of the form (1) of total degree d ≥ 2 and such that $s_{0,1} \cdots s_{m-1,m} \ne 0$. Assume that $\{\mathbf{u}_n\}$ is purely periodic with period τ. Then for any fixed real ε > 0, there exists δ > 0 such that for any positive integer N with $\tau \ge N \ge p^{m+\varepsilon}$ and nonzero vector $\mathbf{b} \in \mathbb{F}_p^{m+1}$ the bound

$$T_{\mathbf{b}}(N) \ll N p^{-\delta}$$

holds, and the implied constant depends only on d, m and ε.

Proof. If $\gcd(b_0, \ldots, b_{m-1}, p) = 1$ then the same argument as in the proof of Theorem 4 leads to a fully analogous bound

$$T_{\mathbf{b}}(N) \ll p^{\alpha_{m,\nu}} N^{\beta_{m,\nu}}.$$

Thus for $\tau \ge N \ge p^{m+\varepsilon}$, taking a sufficiently large ν we obtain the desired estimate.

So it remains to consider the case

$$b_0 \equiv \cdots \equiv b_{m-1} \equiv 0 \pmod p \qquad \text{and} \qquad \gcd(b_m, p) = 1,$$

in which case we simply obtain

$$T_{\mathbf{b}}(N) = \sum_{n=0}^{N-1} e_p(b_m u_{n,m}).$$

A trivial inductive argument shows that

(11) $\displaystyle u_{n,m} = g_m^n u_{0,m} + \frac{g_m^n - 1}{g_m - 1}\, h_m, \qquad n = 0, 1, \ldots,$

if $g_m \ne 1$ and

(12) $u_{n,m} = u_{0,m} + n h_m, \qquad n = 0, 1, \ldots,$

if $g_m = 1$ (where $g_m$ and $h_m$ are as in (1)).

We consider the case $g_m \ne 1$ first, in which we obtain

$$T_{\mathbf{b}}(N) = e_p\big(-b_m h_m (g_m - 1)^{-1}\big) \sum_{n=0}^{N-1} e_p\Big( b_m g_m^n \big( u_{0,m} + h_m (g_m - 1)^{-1} \big) \Big).$$

Clearly, if t is the multiplicative order of $g_m$ then we see from (11) that $u_{n,m}$, n = 0, 1, ..., takes exactly t distinct values. Since the truncated vector $(u_{n,0}, \ldots, u_{n,m-1})$ takes at most $p^m$ values, we see that the full vector $\mathbf{u}_n$ takes at most $t p^m$ values. Thus

$$\tau \le p^m t.$$

Using the condition $\tau \ge N \ge p^{m+\varepsilon}$ we obtain

(13) $t \ge p^{\varepsilon}.$

In particular (13) implies that

$$u_{0,m} + h_m (g_m - 1)^{-1} \not\equiv 0 \pmod p,$$

as otherwise

$$u_{1,m} = g_m u_{0,m} + h_m \equiv u_{0,m} \pmod p$$

and t = 1.

We now recall that by the result of [6], for any ε > 0 there exists η > 0 such that under the condition (13) we have

$$\sum_{n=1}^{t} e_p(c g_m^n) \ll t p^{-\eta},$$

which concludes the proof in the case $g_m \ne 1$.

For $g_m = 1$ we recall (12) and then using (9) we derive the result. □

Using again Lemma 2 we derive the following generalisation of [37, Theorem 6] (the bound is log p weaker as we work in dimension m+1 instead of m).

Corollary 7. Let the sequence $\{\mathbf{u}_n\}$ be given by (7) for $\mathcal{F}_k = \mathcal{F}$, k = 1, 2, ..., with a polynomial system $\mathcal{F} \in \mathcal{S}(S, m)$ of the form (1) of total degree d ≥ 2 and such that $s_{0,1} \cdots s_{m-1,m} \ne 0$. Assume that $\{\mathbf{u}_n\}$ is purely periodic with period τ. Then for any fixed real ε > 0, there exists γ > 0 such that for any positive integer N with $\tau \ge N \ge p^{m+\varepsilon}$ the discrepancy of the sequence

$$\left( \frac{u_{n,0}}{p}, \ldots, \frac{u_{n,m}}{p} \right), \qquad n = 0, \ldots, N-1,$$

satisfies the bound $O(p^{-\gamma})$, where the implied constant depends only on d, m and ε.
Certainly one can get stronger and more explicit statements in both Theorem 6 and Corollary 7 if more information about the multiplicative order t modulo p is available. For example, if it is known that t > p^/^+^ then one can use the bound of Heath-Brown and Konyagin [22] (see also [21, Theorem 3.4])

$$\sum_{n=1}^{t} e_p(c g_m^n) \ll \min\big\{ p^{1/2},\ p^{1/4} t^{3/8},\ p^{1/8} t^{5/8} \big\}.$$

For smaller values of t, but with t > p^^^, one can use the bound of Bourgain and Garaev [5], see also [23].

We remark that it is easy to see that a randomly chosen element $g \in \mathbb{F}_p^*$ is of order $t = p^{1+o(1)}$ with probability 1 + o(1) as p → ∞.

Furthermore, it is also well known that any fixed integer $g \ne 0, \pm 1$ is of multiplicative order

(14) $t \ge p^{1/2}$

for all but $o(x/\log x)$ primes $p \le x$, see [IHIIIHIES] for various improvements of this result.

3.3. Permutation Systems. We now consider polynomial systems of the form (5) which permute the elements of $\mathbb{F}_p^{m+1}$. Lidl and Niederreiter [29, 30] call such systems orthogonal polynomial systems, but here we refer to them as permutation polynomial systems.

We fix a sequence $\mathcal{F}_k$, k = 1, 2, ..., of polynomial systems. For vectors $\mathbf{a} = (a_0, \ldots, a_{m-1}) \in \mathbb{F}_p^m$ and $\mathbf{b} = (b_0, \ldots, b_m) \in \mathbb{F}_p^{m+1}$ and integers c, M, N with M ≥ 1 and N ≥ 1, we consider the average values of exponential sums

$$U_{\mathbf{a},c}(M,N) = \sum_{w_0, \ldots, w_m \in \mathbb{F}_p} \left| \sum_{n=0}^{N-1} e_M(cn)\, e_p\Big( \sum_{j=0}^{m-1} a_j F_j^{(n)}(w_0, \ldots, w_m) \Big) \right|^2,$$

$$V_{\mathbf{b},c}(M,N) = \sum_{w_0, \ldots, w_m \in \mathbb{F}_p} \left| \sum_{n=0}^{N-1} e_M(cn)\, e_p\Big( \sum_{j=0}^{m} b_j F_j^{(n)}(w_0, \ldots, w_m) \Big) \right|^2,$$

where, as before, the polynomials $F_i^{(k)}$, i = 0, ..., m, k = 1, 2, ..., are given by (6).
Then using Lemma 1 in the argument of [36] one immediately obtains the following generalisation of the bound of exponential sums from [36].

Theorem 8. Assume that $\mathcal{F}_k \in \mathcal{S}(S, m)$, k = 1, 2, ..., are permutation polynomial systems such that $s_{0,1} \cdots s_{m-1,m} \ne 0$. Then for any positive integers c, M, N and any nonzero vector $\mathbf{a} \in \mathbb{F}_p^m$ we have

$$U_{\mathbf{a},c}(M,N) \ll A(N,p),$$

where

$$A(N,p) = \begin{cases} N p^{m+1}, & \text{if } N \le p^{1/(m+1)}, \\ N^2 p^{m(m+2)/(m+1)}, & \text{if } N > p^{1/(m+1)}. \end{cases}$$

Exactly as in [36], this immediately implies a discrepancy bound which holds for almost all initial values $\mathbf{v} \in \mathbb{F}_p^{m+1}$. We note that in [36] only the case when at each step the same polynomial system $\mathcal{F}_k = \mathcal{F}$ is applied is considered, but the proof, based only on the bound of the sums $U_{\mathbf{a},c}(M,N)$, holds for distinct polynomial systems $\mathcal{F}_k \in \mathcal{S}(S, m)$ without any changes.

Corollary 9. Let 0 < ε < 1 and let the sequence $\{\mathbf{u}_n(\mathbf{v})\}$ be given by (7) with the vector of initial values $\mathbf{v} \in \mathbb{F}_p^{m+1}$, where $\mathcal{F}_k \in \mathcal{S}(S, m)$, k = 1, 2, ..., are permutation polynomial systems (5) such that $s_{0,1} \cdots s_{m-1,m} \ne 0$. Then for all initial values $\mathbf{v} \in \mathbb{F}_p^{m+1}$ except at most $O(\varepsilon p^{m+1})$, and any positive integer $N \le p^{m+1}$, the discrepancy $D_N(\mathbf{v})$ of the sequence

$$\left( \frac{u_{n,0}(\mathbf{v})}{p}, \ldots, \frac{u_{n,m-1}(\mathbf{v})}{p} \right), \qquad n = 0, \ldots, N-1,$$

satisfies the bound

$$D_N(\mathbf{v}) \ll \varepsilon^{-1} C(N,p),$$

where

We now show that the distribution of the full vectors $\{\mathbf{u}_n(\mathbf{v})\}$ can be studied as well.

Theorem 10. Let $\mathcal{F}_k \in \mathcal{S}(S, m)$ be a sequence of permutation polynomial systems (5) such that $s_{0,1} \cdots s_{m-1,m} \ne 0$, satisfying also the additional condition that the last polynomial in all these systems has the same coefficient $g_m \in \mathbb{F}_p$ of $X_m$, that is,

$$F_{k,m}(X_0, \ldots, X_m) = g_m X_m + h_{k,m}, \qquad k = 1, 2, \ldots$$

Denote by t the period of $g_m$ if $g_m \ne 1$ and put t = p if $g_m = 1$. Then for any positive integers c, M, N and any nonzero vector $\mathbf{b} \in \mathbb{F}_p^{m+1}$ we have

$$V_{\mathbf{b},c}(M,N) \ll B(N,t,p),$$

where

$$B(N,t,p) = A(N,p) + N^2 t^{-1} p^{m+1}$$

and A(N,p) is defined as in Theorem 8.

Proof. Note, as before, that if $\gcd(b_0, \ldots, b_{m-1}, p) = 1$ then the proof of [36, Lemma 4] applies to the sums $V_{\mathbf{b},c}(M,N)$ without any changes. So it remains to consider the case

$$b_0 \equiv \cdots \equiv b_{m-1} \equiv 0 \pmod p \qquad \text{and} \qquad \gcd(b_m, p) = 1,$$

in which case we simply obtain

$$\begin{aligned} V_{\mathbf{b},c}(M,N) &= \sum_{v_0, \ldots, v_m \in \mathbb{F}_p} \left| \sum_{n=0}^{N-1} e_M(cn)\, e_p\big( b_m F_m^{(n)}(v_0, \ldots, v_m) \big) \right|^2 \\ &= \sum_{k,n=0}^{N-1} e_M\big(c(k-n)\big) \sum_{v_0, \ldots, v_m \in \mathbb{F}_p} e_p\Big( b_m \big( F_m^{(k)}(v_0, \ldots, v_m) - F_m^{(n)}(v_0, \ldots, v_m) \big) \Big). \end{aligned}$$

We have the following explicit formulas (see also (11) and (12)):

$$F_m^{(k)}(X_0, \ldots, X_m) = g_m^k X_m + d_k, \qquad k = 0, 1, \ldots,$$

if $g_m \ne 1$ and

(15) $F_m^{(k)}(X_0, \ldots, X_m) = X_m + d_k, \qquad k = 0, 1, \ldots,$

if $g_m = 1$, where

$$d_k = \sum_{j=1}^{k} g_m^{k-j} h_{j,m}.$$

We treat first the case $g_m \ne 1$. In this case we get:

$$\begin{aligned} V_{\mathbf{b},c}(M,N) &= \sum_{k,n=0}^{N-1} e_M\big(c(k-n)\big) \sum_{v_0, \ldots, v_m \in \mathbb{F}_p} e_p\Big( b_m \big( (g_m^k - g_m^n) v_m + d_k - d_n \big) \Big) \\ &= \sum_{\substack{k,n=0 \\ k \equiv n \ (\mathrm{mod}\ t)}}^{N-1} e_M\big(c(k-n)\big) \sum_{v_0, \ldots, v_m \in \mathbb{F}_p} e_p\Big( b_m \big( (g_m^k - g_m^n) v_m + d_k - d_n \big) \Big) \\ &\quad + \sum_{\substack{k,n=0 \\ k \not\equiv n \ (\mathrm{mod}\ t)}}^{N-1} e_M\big(c(k-n)\big) \sum_{v_0, \ldots, v_m \in \mathbb{F}_p} e_p\Big( b_m \big( (g_m^k - g_m^n) v_m + d_k - d_n \big) \Big). \end{aligned}$$

Because $g_m^k - g_m^n \equiv 0 \pmod p$ if and only if $k \equiv n \pmod t$, we estimate the first sum trivially as $N(Nt^{-1} + 1)p^{m+1}$. Furthermore, for $k \not\equiv n \pmod t$, using (9) we see that the second sum simply vanishes. Thus, for $g_m \ne 1$, we obtain

$$V_{\mathbf{b},c}(M,N) \le A(N,p) + N(Nt^{-1} + 1)p^{m+1} \ll A(N,p) + N^2 t^{-1} p^{m+1}.$$

For the case $g_m = 1$ we recall (15) and using similar arguments easily derive the desired result. □

ALINA OSTAFE AND IGOR E. SHPARLINSKI

As above, we now get:

Corollary 11. Let 0 < ε < 1 and let the sequence $\{\mathbf{u}_n\}$ be given by (7), where $\mathcal{F}_k \in \mathcal{S}(S, m)$ is a sequence of permutation polynomial systems (5) satisfying also the additional condition that the last polynomial in all these systems has the same coefficient $g_m \in \mathbb{F}_p$ of $X_m$, that is,

$$F_{k,m}(X_0, \ldots, X_m) = g_m X_m + h_{k,m}, \qquad k = 1, 2, \ldots$$

Denote by t the period of $g_m$ if $g_m \ne 1$ and put t = p if $g_m = 1$. Then for all vectors of initial values $\mathbf{v} \in \mathbb{F}_p^{m+1}$ except at most $O(\varepsilon p^{m+1})$, and any positive integer $N \le p^{m+1}$, the discrepancy $D_N(\mathbf{v})$ of the sequence

$$\left( \frac{u_{n,0}(\mathbf{v})}{p}, \ldots, \frac{u_{n,m}(\mathbf{v})}{p} \right), \qquad n = 0, \ldots, N-1,$$

satisfies the bound

$$D_N(\mathbf{v}) \ll \varepsilon^{-1} D(N,t,p),$$

where

$$D(N,t,p) = C(N,p) \log N + t^{-1/2} (\log N)^{m+1} \log p$$

and C(N,p) is defined as in Corollary 9.

It is easy to see that under the condition (14) the quantities B(N,t,p) and D(N,t,p) are dominated by the terms with A(N,p) and C(N,p), respectively:

$$B(N,t,p) \ll A(N,p) \qquad \text{and} \qquad D(N,t,p) \ll C(N,p) \log N.$$

Finally, we remark that analogues of Theorem 10 and Corollary 11 can be proven also for more general permutation polynomial systems, namely for systems in which the coefficients $g_{j,m}$ of $X_m$ in the last polynomial of each system vary in such a way that

(16) $\displaystyle \prod_{j=1}^{k} g_{j,m} \not\equiv \prod_{j=1}^{n} g_{j,m} \pmod p$

if k and n are close to each other. In fact, if this is guaranteed for k and n with $0 < |k - n| < t$ then the corresponding results for such polynomial systems look identical to those of Theorem 10 and Corollary 11. Examples include such sequences of coefficients as $g_{j,m} = g_m^j$ for some element $g_m \in \mathbb{F}_p^*$. In this case, the condition (16) is equivalent to the failure of the quadratic congruence

$$k(k+1) \equiv n(n+1) \pmod{2t},$$

where t is the order of $g_m$, which can be easily shown not to have too many solutions with $0 \le k, n \le N-1$ (in particular, if t is prime the results are again exactly the same as those of Theorem 10 and Corollary 11).
4. Hash Functions from Polynomial Iterations

4.1. General Construction. In this section we propose a new construction of hash functions based on iterations of polynomial systems studied in the previous sections. This construction is motivated by that of D. X. Charles, E. Z. Goren and K. E. Lauter [7] and in some sense it may be considered as its extension.

Let n and r be two nonzero integers. Choose a random n-bit prime p and permutation polynomial systems $\mathcal{F}_\ell$, ℓ = 0, ..., $2^r - 1$, not necessarily distinct, defined by (5) and (1).

We also consider a random initial vector $\mathbf{w}_0 \in \mathbb{F}_p^{m+1}$.

As in [7], the input of the hash function is used to decide which polynomial system $\mathcal{F}_\ell$ is used to iterate. More precisely, it works as follows: given an input bit string Σ, we execute the following steps:

• pad Σ with at most r − 1 zeros on the left to make sure that its length L is a multiple of r;

• split Σ into blocks $\sigma_j$, j = 1, ..., J, where J = L/r, of length r and interpret each block as an integer $\ell_j \in [0, 2^r - 1]$;

• starting at the vector $\mathbf{w}_0$, apply the polynomial systems $\mathcal{F}_{\ell_1}, \ldots, \mathcal{F}_{\ell_J}$ iteratively, obtaining the sequence of vectors $\mathbf{w}_j = \mathcal{F}_{\ell_j}(\mathbf{w}_{j-1}) \in \mathbb{F}_p^{m+1}$;

• output $\mathbf{w}_J$ as the value of the hash function (which can also be interpreted as a binary (m+1)n-bit string).

The above construction is quite similar to that of [7], where m = 1, the vectors represent the coefficients of an equation describing an elliptic curve, for example, of the Weierstrass equation

$$Y^2 = X^3 + sX + r,$$

and the polynomial maps are associated with isogenies of a fixed degree.

4.2. Collision Resistance. Our belief in collision resistance is essentially based on the same arguments as in [7].

We remark that the initial vector $\mathbf{w}_0$ is fixed and, in particular, does not depend on the input of the hash function. Furthermore, the collision resistance does not rely on the difficulty of inverting the maps generated by the polynomial systems, which are triangular and actually quite easy to invert. Rather, it is based on the difficulty of deciding which system to apply at each step when one attempts to back-trace from a given output to the initial vector $\mathbf{w}_0$ and thus produce two distinct strings $\Sigma_1$ and $\Sigma_2$ of the same length L with the same output.

Note that for strings of different lengths, say of L and L+1, a collision can easily be created. It is enough to take $\Sigma_2 = (0, \Sigma_1)$ (that is, $\Sigma_2$ is obtained from $\Sigma_1$ by prepending a 0). If $L \not\equiv 0 \pmod r$ then they lead to the same output. Certainly any practical implementation has to take care of things like this.
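The four steps of Section 4.1 and the length-related collision of Section 4.2 can be made concrete. The following Python block is an added example, not code from the paper: it implements the hash with m = 1 over a constructed prime p, four constructed permutation systems of the shape (1) selected by 2-bit blocks, and a constructed $\mathbf{w}_0$, and includes a brute-force check of the permutation property on a small prime; the function names are assumptions of this example.

```python
# Added example (not code from the paper): the hash function of Section 4.1
# over F_p with m = 1, together with the length-related collision of
# Section 4.2.  Every concrete value below (the prime, the four systems,
# w_0, the block length r = 2) is a constructed choice for illustration.
P = 2147483647  # 2^31 - 1; P = 3 (mod 4), so -1 is not a square mod P
R = 2           # block length r; 2^R = 4 systems to choose from


def make_system(a0, b0, g1, h1, p=P):
    """A triangular system with m = 1 of the paper's shape (1):
         F_0 = X_0 * G_0(X_1) + H_0(X_1),  G_0 = X_1^2 + 1,  H_0 = a0*X_1 + b0,
         F_1 = g1 * X_1 + h1.
    It permutes F_p^2 when G_0 never vanishes on F_p and g1 != 0 (mod p);
    G_0 = X_1^2 + 1 is nonvanishing exactly when -1 is a non-square mod p."""
    def F(w):
        x0, x1 = w
        g0 = (x1 * x1 + 1) % p
        return ((x0 * g0 + a0 * x1 + b0) % p, (g1 * x1 + h1) % p)
    return F


# Constructed sample systems F_0, ..., F_3 (index = value of the r-bit block).
SYSTEMS = [make_system(3, 5, 7, 11), make_system(2, 9, 5, 1),
           make_system(8, 4, 3, 6), make_system(1, 2, 9, 13)]
W0 = (0, 0)  # constructed initial vector w_0


def pad_left(bits):
    """Step 1: pad with at most r - 1 zeros on the left so the length is a multiple of r."""
    return "0" * (-len(bits) % R) + bits


def poly_hash(bits, systems=SYSTEMS, w0=W0):
    """Steps 2-4: split into r-bit blocks, apply the selected system to each
    intermediate vector, and output the final vector w_J."""
    padded = pad_left(bits)
    w = w0
    for j in range(0, len(padded), R):
        ell = int(padded[j:j + R], 2)  # block read as an integer in [0, 2^r - 1]
        w = systems[ell](w)
    return w


def zero_prefix_collides(bits):
    """Section 4.2: a string S and (0, S) hash alike whenever len(S) is not a
    multiple of r, because the left padding then makes the two inputs identical."""
    return poly_hash("0" + bits) == poly_hash(bits)


def is_permutation_system(F, p):
    """Brute-force check on a small prime that F is a bijection of F_p^2
    (the permutation property assumed in Sections 3.3 and 4)."""
    images = {F((x0, x1)) for x0 in range(p) for x1 in range(p)}
    return len(images) == p * p


if __name__ == "__main__":
    msg = "101"  # length 3, not a multiple of r = 2, so "0101" collides with it
    print(poly_hash(msg), zero_prefix_collides(msg))
    # 7 = 3 (mod 4): permutation; 5 = 1 (mod 4): X_1^2 + 1 has a root, not a permutation
    print(is_permutation_system(make_system(3, 5, 2, 1, p=7), 7),
          is_permutation_system(make_system(3, 5, 2, 1, p=5), 5))
```

Because each system is a bijection, a string of length divisible by r and the same string with a 1 prepended hash differently unless $\mathbf{w}_0$ is a fixed point of the system selected by the new first block, so only the zero-prefix case of Section 4.2 collides for free.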

We also note that the results of Section 3.3 suggest that the above hash functions exhibit rather chaotic behaviour, which is close to the behaviour of a random function. We certainly make no claims about the cryptographic strength of our construction, but we believe that there are enough reasons to investigate it (theoretically and experimentally) more closely.



5. Remarks

In the proof of Lemma 3 we use the estimate $O\big(\deg \Phi_{s,\mathbf{k},\mathbf{l}}\; p^{m-s-1}\big)$ on the number of zeros of the polynomial $\Phi_{s,\mathbf{k},\mathbf{l}}$. Perhaps this bound is hard to improve in general, but maybe this can be done for some specially selected polynomial systems. For example, if one can show that $\Phi_{s,\mathbf{k},\mathbf{l}}$ is absolutely irreducible then the Lang–Weil bound on the number of zeros of a polynomial in m ≥ 2 variables, see [HO], can be used to derive a better result. Even the case of ν = 1 is already of interest.

Furthermore, although low discrepancy is a very important requirement on any pseudorandom number generator, this is not the only one. For example, the notion of linear complexity also plays an important role in this area, see [H]. In the case of vector sequences it is natural to consider linear relations with vector coefficients. Namely, we denote by L(N) the smallest L such that for some m-dimensional vectors $\mathbf{C}_0, \ldots, \mathbf{C}_L$ over $\mathbb{F}_p$, where $\mathbf{C}_L$ is a non-zero vector, we have

(17) $\displaystyle \sum_{h=0}^{L} \mathbf{C}_h \cdot \mathbf{u}_{n+h} = 0$

for all n = 0, ..., N − L − 1, where $\mathbf{c} \cdot \mathbf{u}$ denotes the scalar product. Using the same degree argument which is used in the proof of Lemma 3, we see that (17) leads to a nontrivial polynomial equation in m+1 variables over $\mathbb{F}_p$ of degree $O(L^m)$. Since for $N \le \tau$, where τ is the period of the purely periodic sequence $\{\mathbf{u}_n\}$, the vectors $\mathbf{u}_n$, n = 0, ..., N − L − 1, are pairwise distinct, this yields the estimate

$$L(N) \gg N^{1/m} p^{-1}, \qquad 1 \le N \le \tau.$$

This can be extended to sequences over arbitrary finite fields. Several more estimates of this type have recently been given in [38]. It would be very interesting to get better bounds which rely on a more refined analysis of (17).